The Role of Pre-Operational Surveillance in Terrorist Attack Planning

by Luke Bencie and Leo West

It should come as no surprise that the aspect of the terrorist attack planning cycle in which the terrorist is most easily detected, is that during the pre-operational surveillance of intended targets.  This “exposed” phase has been the downfall of many would-be terrorists and is usually credited as a key indicator of potential threats. It has also proven significant in post-attack investigations, where surveillance video has helped piece together the evolution of plots for use in assisting with future mitigation strategies.  

However, government officials are often reminded that the investigations of 9/11, the 2005 London Underground bombings, as well as of the 2008 terrorist attacks in Mumbai (just to name a few) all reported instances of “casing” prior to the event.  A good example is that of Ramzi Yousef who visited the World Trade Center (WTC) several times prior to his delivering the bomb to the complex on February 26, 1993. It’s known that he initially considered some Jewish targets but during his target selection process, chose the WTC instead and studied its building complex to determine the best method for his attack.  

Law enforcement and intelligence agents as well as private security officers have all shown an increase in vigilance and the overall effectiveness of their counter-surveillance methods, not to mention the assistance they receive from heightened public awareness.  Yet despite these advances, terrorists have also adopted new and better techniques to achieve their intent, and these ever evolving techniques are of continuing concern to all of us involved in homeland security. 

Surveillance during the Terrorist Planning Cycle

Fortunately, the often-followed terrorist attack planning cycle, which includes several opportunities for surveillance to be detected by security/law enforcement, lends it self to identifying impending danger.  During this sequence of events, surveillance is required by the terrorist(s) for determining target selection. However, surveillance does not necessarily remain constant. The degree to which surveillance is conducted will ultimately depend on target accessibility, the comfort the terrorist(s) has conducting surveillance, and the intended results from the planned attack.

The initial step of target selection usually involves a modest casing of a potential target, such as taking a tour of a government building or tourist attraction, driving along the outskirts of a public utility or other critical infrastructure, or simply doing a “Google Earth” search on-line.  It is only as an operational plan starts to unfold that “riskier” types of surveillance are initiated. Riskier behavior is that which may arouse the suspicions of personnel on-site at the target and include activities such as probing the facility (testing the limits of entry before being questioned), incorporating the use of photography or sketching, and/or eliciting information from those of work on the premises.  The results from this subsequent surveillance phase may determine whether or not the operational attack is feasible and whether surveillance should be continued. 

In order to determine target legitimacy, the terrorist planning team must consider a risk/gain assessment.  This assessment examines the attack and escape route(s) to be used (though escape may be unnecessary), consideration of the in-place visible and not-visible security measures, as well as considerations for maximizing the desired attack outcome or impact - i.e. the resulting casualties, physical and financial damage and/or amount of intimidation and coercion that can be inflicted upon the population.  

Once the target has been selected, the degree and method(s) of surveillance may be either increased or decreased.  However, it is unlikely to be discontinued altogether. It should be noted that surveillance does not necessarily always have to be conducted with an “eyes on” visual approach.  Examples of continuing surveillance from a distance could include monitoring the target’s website for updated information (i.e., closures due to construction or weather), using satellite imagery to determine the location of fence lines or natural barriers, and/or following open-source reporting as to whether or not important individuals will be at the location during the time of the attack.  In fact, to demonstrate the use of open source surveillance that a terrorist might utilize, one only needs to look as far as the Al-Qaeda training manual, “Military Studies in the Jihad Against the Tyrants” which states in “Lesson 11: Espionage – Information Gathering Using Open Methods”:

“Using this public source openly and without resorting to illegal means, it is possible to gather at least 80% of information about the enemy…it is possible to gather information through newspapers, magazines, books, periodicals, official publications, and broadcasts…attention should also be given to the opinion, comments, and jokes of common people.”

Indeed, most terrorist surveillance is rudimentary and is usually conducted by one person, or perhaps a very small group.  As a result, the person conducting surveillance must place himself (or herself) in a position to see the target – and thus risk being seen – with far more frequency than would be required of a large, professional surveillance team.  The more frequently a person shows his/her face, the more likely the chance of detection.  Unfortunately, groups like al-Qaeda have been quick to recognize these shortfalls and have provided updated instruction to their followers.  Both the al-Qaeda training manual and the English language on-line terrorist magazine “Inspire” (created by the late American-born Muslim cleric Anwar al-Awlaki) provide tips on how not to be caught while conducting surveillance.  

According to the al-Qaeda training manual “Twelfth Lesson: Espionage – Information-Gathering Using Open Methods” to ensure a successful surveillance mission, “brothers should use false license plates” and ensure that a “car’s interior light is disabled in order to hide the identity of the surveillance members sitting inside.”  Similarly, environmental activists, such as The Ruckus Society offer a downloadable “Scouting Manual” which informs readers how to harmlessly disable CCTV cameras with “Spray Starch”, along with “the six principal ways to use scanners to overhear secure radio conversations at a target facility.”  Unfortunately, operational tradecraft once taught to law enforcement and intelligence personnel is now readily available to any “wanna-be” terrorist with Internet access. 

Methods of Surveillance

The types of surveillance methods employed will also vary.  Surveillance techniques can be broken down as active surveillance, passive (or fixed) surveillance, technical surveillance, and progressive surveillance.  These methods can be used individually, or in combination for greater effectiveness. There are, however, obvious limitations and risks to each.

Where active surveillance is a short-term casing of a facility or infrastructure, passive surveillance requires an established observation post.  Although usually more expensive and often precarious for the operator, a fixed surveillance posture provides the most telling information about target vulnerabilities.  When al-Qaeda bombed the U.S. embassies in Africa in 1998, the U.S. Department of State’s investigations into the attacks revealed key information about the extent of the surveillance operation used to plan those attacks.  In Nairobi, Kenya the terrorist plotters had assimilated into the local culture by setting up a commercial fishing business and establishing organizations, ostensibly for the purpose of conducting humanitarian relief work.  A good cover story, along with an unassuming integration into the host environment, can be virtually undetectable and is of high priority for terrorist planners (hence al-Qaeda’s push for more Fort Hood-styled, “lone wolf”, attacks by followers in the western world).  

Technical surveillance, although a powerful tool, lends itself to detection.  It can also be difficult to acquire, install, and/or operate the necessary equipment.  Technical surveillance is usually associated with foreign intelligence services that may support terrorist activity (such as the Syrian intelligence service, which was implicated by the UN in the assassination of Lebanese Prime Minister Rafik Hariri).  To increase their chances of not being identified, terrorists have moved toward a combination of active and passive surveillance techniques known as progressive surveillance.   

Although effective, progressive surveillance relies on a multitude of people to case and probe a facility at random times.  In some instances surveillance may even be suspended for extended periods simply to lull individuals into a false sense of security.  In order to prevent an arousal of suspicion, terrorists will avoid repetitive appearances and revert to a low-profile demeanor. Examples of surveillance teams minimizing their profile include:

• The use of children (either as a probe or as “foreground cover” for video tapping the real target in the background)
• The use of the elderly
• The use of women
• The use of a group (ex: men playing soccer in a field adjacent to a target)
• The use of the handicapped or mentally unstable 
• The use of beggars
• The use of street venders
• The use of taxi drivers

In addition to the actual surveiled target, some logistical providers, who support the target, may also come under surveillance from the terrorists.   Often required for mission success, items such as delivery vehicles, badges, explosive materials (chemicals, fuels, oxidizers), or uniform distributors/dry-cleaners may also undergo surveillance prior to theft.   A terrorist’s ability to obtain logistical supplies often determines whether or not an attack will need to be violent and destructive (a bold attack which could either be direct or from a standoff distance) or clandestine and covert in nature. 

As is often the case, those conducting the surveillance are not the same ones who carry out the terrorist attacks.  Many times, terrorist members who conduct surveillance often leave the country prior to a second team initiating the attack.  This was the case with the 1998 US Embassy bombings in Kenya and Tanzania in East Africa, the 1996 Khobar Towers bombing, and the 2005 bombings of three American hotels in Amman, Jordan.  According to the testimony of one of the planners of the Africa bombings, Mohammad Saddiq Odeh:

“The people in the second group of the terrorist cells, the ones committing the act, are people who have less skills to offer than the first group…the people of the second group are viewed as being expendable.”

Counter-Surveillance

As a direct result of the East Africa bombings, the U.S. Department of State’s Diplomatic Security Service (DSS) implemented the “The Surveillance Detection Program” at diplomatic facilities worldwide.  One year after those bombings, the first Surveillance Detection Teams (SDTs) were launched. The SDTs comprised of local nationals, either individuals direct-hired by the mission, or provided by a security contractor, who operate under the direct supervision of the DSS Regional Security Officer at post.  According to DSS officials, “they work in plain clothes, on foot and in and in unmarked vehicles, as an almost invisible element poised to detect suspicious activities that often precede an attack.  Utilizing tools such as digital video cameras, night vision devices and even disguises, they conduct their operations 24 hours a day, 7 days a week.”

Domestically, state and local government facilities obviously do not have comparable security budgets as their federal counterparts stationed overseas.  Notwithstanding, it does not imply that domestic government facilities are less threatened by surveillance and do not require similar counter-surveillance measures (Oklahoma City bombing being just one example).  More than ever, local security guard forces are receiving training on threat detection and counter-surveillance methods. Even the private sector has started to embrace the need for understanding these concepts.  

The Department of Homeland Security offers the following list of suspicious signs of surveillance indicators:

• Multiple sightings of the same suspicious person, vehicle, or activity, separated by time, distance, or direction
• Individuals who stay at bus or train stops for extended periods while buses and trains come and go
• Individuals who carry on long conversations on pay or cellular telephones
• Individuals who order food at a restaurant and leave before the food arrives or who order without eating
• Joggers who stand and stretch for an inordinate amount of time
• Individuals sitting in a parked car for an extended period of time
• Individuals who don't fit into the surrounding environment because they are wearing improper attire for the location or season

• Individuals drawing pictures or taking notes in an area not normally of interest to a tourist or showing unusual interest in or photographing security cameras, guard locations, or watching security reaction drills and procedures
• Individuals who exhibit suspicious behavior, such as staring or quickly looking away from individuals or vehicles as they enter or leave facilities or parking areas

Terrorists may also employ aggressive surveillance techniques, such as making false phone threats, approaching security checkpoints to ask for directions, or "innocently" attempting to smuggle nonlethal contraband through checkpoints. The terrorists intend to determine firsthand the effectiveness of search procedures and to gauge the alertness and reaction of security personnel.

Conclusion

The threat from terrorism has not subsided.  If anything, the chance of attack against U.S. targets has increased.  As long as there are those who would wish to cause pre-meditated harm to others, pre-operational surveillance will continue to be a necessary part of the terrorist planning cycle.  Understanding the techniques employed and developing sound counter-surveillance measures are the best way to thwart an attack before it happens.